Commit a331278d authored by Pierre Smeyers

docs(authentication): simplify code excerpt to obtain token

parent 9b9bb340
+13 −8
@@ -88,20 +88,25 @@ You're free to enable whichever or both, and you can also choose your deployment

This template supports token authentication only.
Tokens associated with OpenShift user accounts are only valid for 24 hours.
To generate a token that never expires you need to create a new [service account](https://docs.openshift.com/container-platform/latest/authentication/understanding-and-creating-service-accounts.html).
To generate a token that never expires you need to [create and use a service account token](https://docs.openshift.com/container-platform/latest/nodes/pods/nodes-pods-secrets.html#nodes-application-secrets-creating-using-sa_nodes-pods-secrets).

Follow these steps:

```bash
oc create serviceaccount cicd
oc policy add-role-to-user <role_name> system:serviceaccount:<your_project_name>:cicd -n <your_project_name>
# below command displays `serviceaccount-token-name` (ex: cicd-token-l9tdx)
oc get secrets --field-selector type=kubernetes.io/service-account-token -n <your_project_name> | grep cicd | head -1 | cut -d " " -f 1
# use this `serviceaccount-token-name` to get secret with jq
oc get secret <serviceaccount-token-name> -o json -n <your_project_name> | jq -r .data.token | base64 -d
# create a service account
oc create serviceaccount cicd -n <your_project_name>
# ⚠ don't forget to add required role(s) (ex: basic-user & edit)
oc adm policy add-role-to-user <role_name> system:serviceaccount:<your_project_name>:cicd -n <your_project_name>
# retrieve service account's token name(s)
oc describe serviceaccount cicd -n <your_project_name>
# get service account token from the secret
oc describe secret <token_name> -n <your_project_name>
# test the token
oc get all --token=<token>
# this token can be used to authenticate ;)
```

:warning: don't forget to replace `<your_project_name>` with your OpenShift project name and `<role_name>` with the appropriate role (ask your OpenShift support).
:warning: don't forget to replace `<your_project_name>` with your OpenShift project name and `<role_name>` with the appropriate role (ask your OpenShift support). See [default cluster roles](https://docs.openshift.com/container-platform/latest/authentication/using-rbac.html#default-roles_using-rbac).

### Deployment context variables
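
Review bot: the test step `oc get all --token=<token>` is the only command in the new block without `-n <your_project_name>`, so it runs against whatever project the current context selects and can pass or fail for reasons unrelated to the role granted two steps earlier; suggest `oc get all -n <your_project_name> --token=<token>`. Because the surrounding text presents this as a token that never expires, the comment `(ex: basic-user & edit)` should also say to grant the narrowest role the deployment needs, and the test step should mention that a token passed with `--token` on the command line is recorded in shell history. The closing comment `# this token can be used to authenticate ;)` comes after the token has already been used in the test; it would read better directly under the `oc describe secret` step.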